Issue dated - 22nd September 2003


Best practices for Windows 2000 administration

Tech Forum - Dr. Nitin Paranjpe

I found some very useful tips for Windows 2000 administrators in the documentation. I checked with many administrators whether they knew about these tips. Most of them did not. So I thought it would be a good idea to mention these tips here. There are tips for various aspects of Windows 2000 functionality.

Do not log on with administrative rights

Never log on to the system as ‘administrator’ or as a user who is a member of the administrator group. This may sound confusing, but it is not. In fact, this is the most basic mechanism for ensuring a secure infrastructure. Various security threats, including Trojan horses, use a session logged on as administrator to carry out harmful actions and to gather information that is available only to administrators. In fact, some viruses can create specific accounts with administrative rights by exploiting your logon session and then keep using those accounts, without your noticing, as and when required.

The right way is to use the standard user or power-user groups. These rights are sufficient for most tasks. If you need administrative rights for performing specific tasks you have two options:

  1. Use the ‘Run as...’ functionality
  2. Temporarily log on as administrator, finish the task and then log on as a regular user again.

The ‘Run as...’ functionality is a very useful feature. While you are logged on as a regular (non-administrator) user, you can run programs (EXEs), Control Panel items, shortcuts and MSC files as another user.

Here are the steps:

  1. Locate the program/item that you want to run in Explorer
  2. If you just right-click on the item, you will see the relevant context menu. However the ‘Run as...’ command will not be shown. To see the Run as... option, keep the Shift key pressed and then click the right mouse button. Now the menu will have one additional option - Run as....
  3. Here the username dialog appears. You can type the userid, password and domain name. Now the selected EXE or item will run in the context of the selected user.

Obviously this feature is most often used to run in an administrator context when you are logged in as a regular user. However, you can also use it to run as any other user.

For this feature to work, the Run as... service must be started.

Another nice thing about this feature is that you can create shortcuts to programs and MMC items which will always show the Run as... dialog. This way, you don’t have to remember to Shift - right-click every time you want to run the program. However, this does not work with Control Panel items.

  1. Create a shortcut to the program that you want to always run with Run as....
  2. Right click on the shortcut and choose Properties.
  3. Enable the checkbox ‘Run as different user’. That’s it.
  4. Now whenever you invoke the program, the Run as... dialog will automatically appear.

Encrypted file system

This feature has been around for quite some time. But I have observed that during deployment of Windows 2000 systems, this is rarely used. From a security perspective this is a great functionality. Here is a quick dump on what EFS is and how to use it effectively.

What is EFS?

All of us store files on disk, either on local machines or servers. Now, the regular method of preventing access to files and folders is by using user login based access control. This works fine. But the problem is that intruders and hackers are very smart people. If they can’t break in with your username and password, they can always find some other means of gaining access to the files stored on disk. Once a hacker has access to the file, the entire contents of the file are fully readable. Thus simple directory and file level access rights are not sufficient to ensure security of the content.

EFS solves this problem by encrypting the files you store on hard disks. The files encrypted by one user cannot be decrypted by another user. Even if the intruder can somehow gain access to the file, they can’t read it. So if your laptop is stolen or your server disk is accessed by a hacker, they still can’t misuse the data. Of course they can delete the files. But that is still better than exposing the contents of files.

An encrypted file does not protect against deletion.

To encrypt a file:

  1. Open Explorer and locate the file.
  2. Right-click and choose Properties.
  3. Click on the Advanced… button.
  4. Enable the check box "Encrypt contents to secure data"
  5. Now the file can be opened only by the currently logged on user.
  6. You can also encrypt a folder (and its contained files) in the same manner.

Please note:

  1. Encrypting a file does not change the access rights. Other users who have rights to access the file can still access the file and even delete it (if they have the rights). However, they cannot see the contents of the file any longer.
  2. If you copy this file to another computer that has a FAT partition, the file will not remain encrypted.
  3. Once you encrypt a file you can continue to use it as any other file. You don’t have to remember that this is an encrypted file. Nor do you have to take any effort to decrypt it. Decryption is handled automatically by the operating system.
  4. If you copy and paste the file somewhere else on the same hard disk, it will retain encryption. However, if you drag-drop the file, the encryption is lost.
  5. You cannot share a file that is encrypted.
  6. Data transferred over the network is not encrypted by this feature. This protects only files. For network level encryption you have to use other features like SSL or IPSec.

Ideally you should first make a habit of storing all your files in My Documents. Then encrypt the entire My Documents folder (and all subfolders). This is a very important tip for laptop users who carry sensitive data along. This is because laptops are much more vulnerable to being stolen than desktop computers or servers.

Recovery Agent

Now what happens if a user leaves the company and has encrypted files? You cannot decrypt these files. If these files contain organisation specific data you need a method of decrypting files without the original user being available.

For this purpose you need to have an administrator who is called the Recovery Agent. This is a special administrative account that has a special recovery certificate issued (X509 V3). This administrator can decrypt files encrypted by another user.

EFS creates a private-public key pair for encryption. If you need to recover the contents of the file when the user is not available or if the private key is lost, it is still possible to recover it. EFS creates a recovery certificate. This recovery certificate should be kept at a safe place by the recovery administrator. Using this certificate, encrypted files can be decrypted when the need arises.

Storing recovery information

The recovery information is kept in recovery keys. These keys should be exported to a file and the file should be copied to a floppy or a CD and kept in a separate, safe place. Using these keys, you can recover encrypted files.

To export recovery keys you need to run the Certificates Snap-in in the MMC manager. The exported file contains the private key of the user, protected by a password which you have to specify before exporting. This password is not the same as your logon password. The file has a PFX extension. This PFX file can be used to recover encrypted files.

User education

User education is important to ensure a successful implementation of EFS. For example, the default ‘Temp’ folder also needs to be encrypted in addition to ‘My Documents’. This is because many programs create temporary copies of files being edited in the Temp folder. If this is not encrypted, the data is vulnerable.

Secondly, user-created data should not be scattered across multiple directories. It is very important to inculcate the discipline of using a particular folder, so that encryption administration on the hard disk is centralised.

If files need to be shared or sent across to others and you still want to encrypt contents, EFS is not useful. For this purpose you need to either use application-specific password protection or use messaging enabled with digital certificates.

When you copy encrypted files to other computers that support EFS, your encryption certificate and private key must be available on those computers. This needs to be taken into account when deploying EFS across the organisation.
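
The following check is an added example, not part of the original column: it audits the two folders named above (My Documents and Temp) and reports a folder that is not on NTFS, a folder that is not marked for encryption, and any file still stored unencrypted. It assumes a Windows version with PowerShell 3.0 or later, which Windows 2000 itself does not have; the function name `Test-EfsCoverage` is made up for this example.

```powershell
# Added example, not from the article. Requires PowerShell 3.0 or later.
# Read-only audit: it changes nothing, it only reports what EFS is not covering.
function Test-EfsCoverage {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    $efs = [System.IO.FileAttributes]::Encrypted
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root -PathType Container)) {
            Write-Warning "Skipping missing folder: $root"
            continue
        }
        $full = (Resolve-Path -LiteralPath $root).ProviderPath

        # EFS needs NTFS: a copy that lands on a FAT volume is stored in clear.
        try {
            $volume = [System.IO.Path]::GetPathRoot($full)
            $format = (New-Object System.IO.DriveInfo ($volume)).DriveFormat
        } catch {
            $format = 'unknown'   # e.g. a UNC path, which DriveInfo rejects
        }
        if ($format -ne 'NTFS') {
            [pscustomobject]@{ Folder = $full; Item = $full
                               Problem = "File system is $format, not NTFS" }
            continue
        }

        # A folder without the flag will not encrypt files created in it later.
        if (-not (Get-Item -LiteralPath $full -Force).Attributes.HasFlag($efs)) {
            [pscustomobject]@{ Folder = $full; Item = $full
                               Problem = 'Folder is not marked for encryption' }
        }

        # Individual files that are still stored unencrypted.
        Get-ChildItem -LiteralPath $full -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Attributes.HasFlag($efs) } |
            ForEach-Object {
                [pscustomobject]@{ Folder = $full; Item = $_.FullName
                                   Problem = 'File is not encrypted' }
            }
    }
}

# The two locations the article singles out: My Documents and the Temp folder.
$folders = @([Environment]::GetFolderPath('MyDocuments'), $env:TEMP)
Test-EfsCoverage -Path $folders | Format-Table -AutoSize -Wrap
```

An empty result means every file under both folders carries the EFS attribute and both folders will encrypt new files created in them.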

About the Author: Dr Nitin Paranjape is the Chairman and MD of Maestros (Mediline). He is a consultant with many organisations, covering appropriate technology utilisation, business application of relevant technology, application architecture and audit as well as knowledge transfer. He has authored more than 650 articles on various technology-related subjects. He can be contacted at nitin@mediline.co.in

© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.